Penetration Testing Risks

Introduction

The idea that information governs the world is nothing new. The faster a business develops its technological and information infrastructure, the higher the risk of malicious access to its information. Commercial, financial, managerial, HR and other information is of interest not only to the company that creates and uses it, but also to its competitors and to people who can seize it for unauthorized use and resale. The need for data security keeps growing.

Data security is the state in which the integrity, availability and confidentiality of data are ensured. Integrity means that information does not change while it is stored or transmitted; availability means that authorized persons can access and use the information at any time; confidentiality means that the information is unavailable to anyone who is not lawfully authorized to access it.

An information audit can be used to ensure data security. Generally, an audit is performed to estimate the current level of data security, to assess possible risks in how the company stores and uses information, and to determine the high-priority measures that will minimize those risks and the threat of information leakage. The audit reveals the level of security the automated system provides, and the statistics collected help determine further steps toward complete information security in the company.

Security audit types include penetration tests (or "pentests"), which apply various vulnerability search methods to determine ways of intruding into a company's information systems from the outside, for example, via the Internet. Penetration tests are mainly performed to estimate the company's overall level of protection from external threats and targeted attacks, and also to document the actions taken and produce a report on them.

In most cases, the testing procedure consists of three steps, and each of the steps includes a number of quite specific jobs. The first step covers operations planning and preparation. The second step includes penetration into the automated system itself, and the third step is report creation and, possibly, recommendations to improve data security.

Most often, a company commissions penetration testing when it needs to evaluate possible damage from malicious activity, to estimate the security level of specific information assets, to determine the most vulnerable points in its information security system, or to assess the measures staff members take in response to penetration attempts.

However, one must not think that the testing procedure guarantees complete security for the company. Sometimes this is not true, since any penetration attempt may have unexpected and critical consequences for the audited company. There are two major groups of risks we should always keep in mind.

Risks due to the Testing Company

The first group of risks is caused directly by the company that performs the security audit for the customer. In other words, a company that wants reliable data security checks whether its information is accessible from the outside by intentionally making it accessible, because many vulnerabilities are usually revealed during pentests and the testers gain access to the protected data.

Is it actually so bad? If the customer wishes to have penetration tests performed, it signs a non-disclosure agreement with the testing company. Although most companies think this is enough, each penetration test brings additional risks. We should keep in mind that each auditor group consists of people, and the human factor cannot be ignored.

First of all, it is the human factor that makes different penetration testing companies perform pentests differently. Vulnerabilities revealed by one group will remain unknown to another group, and vice versa. That is why, logically, you cannot rely completely on the results of penetration tests to ensure information security. A real threat of penetration exists anyway, since different groups and different hackers can apply various methods to the revealed vulnerabilities. In other words, such testing will not fully guarantee security in the customer company.

Even when the testing is finished and vulnerabilities have been found in the customer's automated system, the testing company can simply retain the information it obtained on the software, network structure, etc., or conceal some vulnerabilities from the customer. The tested company will also now be exposed to all the risks of the auditing company.

The point is that it is very hard to maintain security within a company. There is also the risk that employees of the testing company, for example after they are fired, will use the information for their own benefit or for the benefit of competitors. This is not a rare situation, and the number of such cases is, unfortunately, growing.

Often, client information leaks from companies that place too much trust in their IT service providers (outsourcing companies, processing centers, security audit companies). According to the American telecommunications company Verizon Communications, more than half of all known information leaks in restaurant and retail shop networks and in other organizations that, for whatever reason, cannot afford high-grade IT staff are due to dishonest outside partners or to companies offering information security audit services.

Here is a specific example. In 2009, the owner of a large IT company in the USA engaged in information audit and outsourcing services was accused of stealing the confidential data of more than 8 million people. All the information came from large companies it serviced, and the investigation revealed that the resulting database was intended for sale to competitors. Details of what data had been stolen and the list of the affected organizations were not published in the interests of the investigation, but it was known for certain that, during the audit, information on the organizations' network operation was carefully gathered for the purpose of further illegal use and theft.

Another well-known case is BCBS, an affiliated company of WellPoint, the major insurer of the United States. The company's service allowed customers to check their documentation status in real time. During a technical upgrade of the server and a vulnerability check, some information leaked, and customers' credit card numbers, medical reports and credit insurance card numbers were compromised. The number of victims exceeded 470 thousand clients.

After the server security system was upgraded using the scenario planned by the experts, the service could be manipulated by substituting parameters with random values. Although the employees of the company responsible for monitoring and supporting the project's security system gave assurances that there had been no changes in the software, this was not the case. Software logs showed several attempts at unauthorized access to client information.

As the examples illustrate, dishonest companies among those that offer information audit services are not a rare exception. And though data leakage caused by the company's own employees or insiders seems the most probable, it usually does not make sense to expose the company to additional risks for the sake of a false sense of safety.

Even when you do need penetration testing from the outside, you must first carefully examine the reputation of the company that will conduct it. But the company's reputation is not enough. Find out as much as possible about the company's management and technicians, because even a company with a perfect reputation that provides high-quality security audit services might employ people who secretly help competitors, with the main intention of accessing the protected information without interrupting the testing.

Some of the information a company uses internally has a long lifespan, meaning that if such information becomes available to anyone else even after a few months, the company will still suffer substantial losses. Thus, one must be very careful when engaging external human resources and pay attention not only to their skills, cost and quality, but also to the potential consequences of granting them access to the company's information assets.

Another threat during penetration tests is the investigation of various attack scenarios. Employees of the auditor company can document only some of the vulnerabilities revealed in the information protection system, while the remaining vulnerabilities can still be used by hackers.

Technical Risks

Even when penetration tests bring good results and eliminate many vulnerabilities, they still do not guarantee that information will remain inaccessible in a few days, weeks, or months. New vulnerabilities arise every day, new types of attack come into use, and even some old vulnerabilities can be exploited anew over time. No information security organization can possess complete information on all vulnerabilities. That is why the vulnerabilities that will be used tomorrow may differ greatly from the existing ones.

By providing fast operation in data networks and using the Internet in daily activities, companies make their business more effective and flexible on the one hand, but at the same time increase their risks, because absolutely secure systems do not exist. Failures of network protocols and services and faults in network equipment may cause not only direct financial losses to the company, but also loss of reputation, which for many large companies is a more serious harm than the financial losses. Information security becomes more and more important as more and more services allow customer relations to be maintained directly via the Internet.

Usually, a vulnerability means that a malicious user can, by issuing a corresponding command, make the application perform an operation for which that user has insufficient rights or no rights at all. And though there are detection tools for different types of vulnerabilities, they can never substitute for a person's experience in information security research.

In attempting to provide security, the management of many companies often makes severe errors that may have serious consequences for the company. Among them are:

The company's staff is excessively confident in the reliability of the security technologies used.

Accurate technical information on the security level does not exist.

There is no clear information security policy.

IT department staff qualification is insufficient.

The personnel wrongly think that there is no important information for hackers in the company's information system.

The personnel wrongly think that cracking of the company's web site or server will not result in serious losses.

According to last year's statistics, gathered during analysis of almost 12 thousand programs and web applications, more than 97 thousand vulnerabilities were found. They differ in their threat level, but more than half of them are urgent and critical, and the data from 13% of systems can be automatically compromised. In the course of detailed testing, the probability of revealing critical vulnerabilities reaches extreme rates, from 80% to 96%.

Any company can suffer from cyber attacks regardless of its business. Of course, hackers are mainly interested in large organizations, but small companies usually suffer more severe damage from such illegal activities. Small companies, as well as mid-sized businesses, often suffer from malicious software and viruses, which are becoming harder to neutralize. Note that data security companies themselves are often the target of targeted network attacks.

Interesting statistics have been published by the Ponemon Institute. The research, which used information received from 45 large American companies, showed how great a company's losses are from attacks that exploit vulnerabilities in its information system. On average, companies lose a little less than four million dollars per year due to such weaknesses, and this figure ranges from one million for medium-scale companies to 52 million dollars. The struggle against network data leakage, attacks on companies' web sites and online services, and the distribution of malicious software constitutes the lion's share of the costs of maintaining information security. Nevertheless, the studied companies had been exposed to more than 50 successful attacks per week during which hackers could have plundered the data.

As the above statistics show, hackers conduct their criminal business with impunity. While competition in this field grows, prices for computer network cracking and information theft fall, but hackers' proficiency continues to increase. No more than ten hackers a year are held criminally liable, and for some frauds with a turnover in the millions the hackers receive a conditional prison sentence. Experts think that such avalanche-like growth of crime in information technology is a considerable threat to any business.

Conclusion

In conclusion, we have to emphasize that the situation in the field of information protection is changing rapidly, and a company must respond to each change as promptly as possible. Any newly revealed vulnerability, any weakness in an anti-penetration system may result not only in direct financial losses, but also in irrevocable loss of reputation with partners, which is often much more important.

The hackers' arsenal grows with new, sophisticated software and hardware, and their proficiency has long since surpassed that of an average employee in an IT or information security department. A company can protect itself from possible threats only by constantly paying attention to the integrity and security of its network and other resources. To date, vulnerabilities have been found in all operating systems. This proves once again that no absolute security can be guaranteed, and none will be guaranteed in the near future.

But you can keep your risks to a minimum. For this purpose, prompt staff response when a threat is detected is crucial, as are timely installation and updating of anti-virus software and firewalls and installation of all critical and essential operating system updates. Overall staff awareness of recently discovered vulnerabilities, viruses and malicious software is also important.

Many organizations resort to penetration tests as the last possible measure. But now, this measure is expensive and ineffective. During such a test, only part of the existing vulnerabilities will be discovered, while new methods of breaching information security appear almost every day. One must understand that even a large company providing computer audit services may be exposed to its own internal data leakage risks. Thus, entrusting such a company with detailed information about network structure, operations and protocols means taking on and covering all the risks of that company. So, pentests usually grant you false, illusory safety.

Internal network audit methods are more effective than penetration testing. A company must use software for access restriction, user activity monitoring and data encryption, and network activity logs must also be monitored on a regular basis. This is a necessary condition for keeping the risk of information loss at an acceptable minimum.